Re: Indexing PowerShell transcription files

adamsmith47 · ‎10-30-2018

Is there a resource for indexing powershell transcription files?

We're using PowerShell 5.1. I've reviewed the information provided in a 2016 Splunk .conf talk here: https://conf.splunk.com/files/2016/recordings/powershell-power-hell-hunting-for-malicious-use-of-pow...

But the info in the talk isn't truly complete. For instance, our transcription files don't always have the "End time" footer, and can contain multiple headers (Start time:, Username:, RunAs User:, etc) within a "Windows PowerShell transcript start" event.

Is there no TA for this?

Example problem file:

**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026141425
**********************
PS R:\> get-adgroup compliance


DistinguishedName : stuff
GroupCategory     : more stuff
GroupScope        : yup, here's our stuff
Name              : and more stuff
ObjectClass       : and more stuff
ObjectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff



**********************
Command start time: 20181026141442
**********************
PS R:\> get-adgroup compliance |Get-ADGroupMember


distinguishedName : stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

distinguishedName : and more stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

... a few hundred lines later....

**********************
Command start time: 20181026143530
**********************
PS R:\> TerminatingError(Export-Csv): "The process cannot access the file 'stuff' because it is being used by another process."
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026143530
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The process cannot access the file 'stuff' because it is being used by another process."
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand

Notice the lack of:

**********************
Windows PowerShell transcript end
End time: 20181026094046
**********************

Any help is greatly appreciated.

centrafraserk · ‎01-08-2019

Did you ever have any luck with this? I am about to work with these logs and was planning to use the 2016 talk as a base as well. Did you need any more props/transforms than were indicated in the talk?

hubekpeter · ‎01-15-2021

Hi,

enable the invocation headers via GPO or windows registers and the PS will add the timestamps as they show in your post. Google it, or use this article https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Indexing PowerShell transcription files

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

Indexing PowerShell transcription files

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025